Problem with shell command authorization

dtangent
Level 1

I ran into this issue with both ACS 3.1 and ACS 3.2

A shell command authorization set is created under the shared profile components with the following settings:

Unmatched Commands: deny

Permit Unmatched Args: UNCHECKED

The command allowed is "show", with Arg "permit ver", "permit interface", and "permit run"

This authorization set is then applied to the group, under the option "Assign a Shell Command Authorization set for any network device."

Enable option for that group is set to "Max Privilege for any AAA Client, level 15"

This configuration is then tested against two IOS switches, with the aaa commands as follows:

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

The problem I am having is that when a user that falls under this group logs in, he/she can issue commands such as show ver, show run, and show int just as I would expect. Any command that doesn't start with show... is denied. However, other show commands that are not listed in the Args will work, while some won't. For example, "show arp" and "show vlan" worked, while "show accounting" and "show buffer" didn't. What am I missing?

Accepted Solution

yusuff
Cisco Employee

Commands that are working without you defining them explicitly are of a lower privilege level than 15... e.g. 'show arp' is a Priv-1 command, hence it is executable without command authorization, as you are not doing command authorization for Priv-1.

Router>sh priv

Current privilege level is 1

Router>

Router>

Router>show arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 10.1.5.2 24 0000.abcd.abcd ARPA Ethernet0/0

Internet 10.1.5.3 - 0003.abcd.abcd ARPA Ethernet0/0

Router>

Router>


3 Replies


Adding the aaa command, "aaa authorization commands 1 default group tacacs+ local" fixed it. Thanks for the response.
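The behaviour described in the accepted answer and confirmed by the fix above (commands below the authorized privilege level never reach ACS) can be reproduced with a small model of the two-stage decision. This is an added example, not code from the thread or from Cisco: the privilege table is constructed from the thread's observations, and treating each ACS argument pattern as an unanchored regular expression is an assumption about ACS matching.

```python
import re

# Privilege level each command runs at. Constructed from the thread's
# observations (show arp/version work at level 1, show run/accounting
# behave as level-15); the real levels come from the IOS parser.
COMMAND_PRIV = {
    "show arp": 1,
    "show version": 1,
    "show running-config": 15,
    "show accounting": 15,
    "configure terminal": 15,
}

# The shell command authorization set from the original post.
# Assumption: each argument pattern is matched as an unanchored regex
# against the argument string, so "ver" matches "version".
COMMAND_SET = {
    "unmatched_commands": "deny",
    "permit_unmatched_args": False,
    "commands": {"show": ["ver", "interface", "run"]},
}


def acs_authorize(cmd, args, command_set):
    """Emulate the ACS command-set decision for one (cmd, args) request."""
    patterns = command_set["commands"].get(cmd)
    if patterns is None:
        return command_set["unmatched_commands"] == "permit"
    if not args:
        return True  # bare command is listed, nothing more to check
    if any(re.search(p, args) for p in patterns):
        return True
    return command_set["permit_unmatched_args"]


def ios_decision(line, authorized_levels, command_set):
    """Return (permitted, reason) for a full command line.

    IOS only sends a TACACS+ authorization request when
    'aaa authorization commands <level>' exists for the level the
    command runs at; otherwise the command executes locally.
    """
    level = COMMAND_PRIV[line]
    cmd, _, args = line.partition(" ")
    if level not in authorized_levels:
        return True, f"priv-{level} command, no authorization configured"
    ok = acs_authorize(cmd, args, command_set)
    return ok, f"priv-{level} command, ACS {'permit' if ok else 'deny'}"
```

With only `commands 15` configured, `show arp` is permitted without ever being sent to ACS; adding `commands 1` makes it subject to the same set and it is then denied as an unlisted argument.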

I have the same problem, and after adding the "aaa authorization commands 1 default group tacacs+" command the result is the same: it doesn't work correctly...

I have:

"Unmatched Cisco IOS commands"---> Deny

"Command"---> show

"Arguments"---> permit ip route

"Unlisted arguments"---> deny

These parameters are the same in the group and in the user setting, but I've tried several solutions, with no good results...

The version of CiscoSecure is 2.4 for WinNT.

Is there a solution?